goodrcptto-ms-tls-12-patch

This is a goodrcptto patch for netqmail-1.05-tls-20040419 and qmail-smtpd-viruscan-1.3 patched qmail-1.03 or netqmail-1.05: http://www.netdevice.com/qmail/patch/goodrcptto-ms-tls-12-patch

See http://qmail.org/qmail-smtpd-viruscan-1.3.patch, http://inoa.net/qmail-tls/netqmail-1.05-tls-20040419.patch and http://cr.yp.to/qmail.html or http://qmail.org/netqmail/.

A qmail server will normally accept email for any recipient address at a domain. This patch causes the server to reject single-recipient email to an invalid recipient, and to filter out the invalid recipients from multiple-recipient email while accepting the message for the valid recipients. This occurs during the initial SMTP conversation, for a reduction in disk I/O. The server rejects attempts to queue messages to nonexistent recipients, and joe job bounces to forged recipients, preventing them from becoming double bounces. To prevent dictionary attacks, the transmission channel is closed after the number of bad recipients set in control/brtlimit or BRTLIMIT, two by default. Repeated attempts from the same IPs may be handled by a cron that looks at the logs and updates tcprules accordingly.

A goodrcptto list and/or moregoodrcptto database is maintained. Relay and accept clients are not held to the address check, control/brtlimit or BRTLIMIT. If you need to wildcard domains, list them one per line like @example.net in control/goodrcptto only. Recipient addresses like name@example.com may be included in control/goodrcptto, but the check will run fastest if you put these into control/moregoodrcptto, then into control/moregoodrcptto.cdb using qmail-newmgrt. A check against a 50,000 address moregoodrcptto.cdb is virtually instantaneous on a 300 MHz machine.
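The recipient check and bad-recipient limit described in the two paragraphs above, as a simplified model. This is an added example, not code from the patch: the names (session, good_rcpt, check_rcpt), the case-insensitive comparison, and closing exactly when the count reaches the limit are assumptions, and the list entries are constructed.

```c
/* Simplified model of the recipient check described above (not the patch's code). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { RCPT_ACCEPT, RCPT_REJECT, RCPT_CLOSE };

struct session {
    int exempt;    /* 1 for relay or accept clients: no address check, no limit */
    int brtcount;  /* bad recipients so far; the page says it continues across RSETs */
    int brtlimit;  /* control/brtlimit or BRTLIMIT; two by default */
};

/* Case-insensitive string equality (assumption: addresses compare without case). */
static int ieq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return tolower((unsigned char)*a) == tolower((unsigned char)*b);
}

/* 1 if addr matches a full-address entry or an "@domain" wildcard entry. */
static int good_rcpt(const char *const *list, size_t n, const char *addr)
{
    const char *at = strrchr(addr, '@');
    size_t i;
    if (!at || at == addr || !at[1]) return 0;  /* need a local part and a domain */
    for (i = 0; i < n; i++)
        if (ieq(list[i], list[i][0] == '@' ? at : addr)) return 1;
    return 0;
}

/* Verdict for one RCPT TO. Assumption: close once brtcount reaches brtlimit. */
static enum verdict check_rcpt(struct session *s, const char *const *list,
                               size_t n, const char *addr)
{
    if (s->exempt || good_rcpt(list, n, addr)) return RCPT_ACCEPT;
    return ++s->brtcount >= s->brtlimit ? RCPT_CLOSE : RCPT_REJECT;
}

int main(void)
{
    /* Constructed entries in the style of control/goodrcptto. */
    const char *const list[] = { "@example.net", "name@example.com" };
    const char *const rcpts[] = { "name@example.com", "any@example.net",
                                  "guess1@example.com", "guess2@example.com" };
    struct session s = { 0, 0, 2 };
    size_t i;
    for (i = 0; i < 4; i++)
        printf("%-20s verdict=%d\n", rcpts[i], (int)check_rcpt(&s, list, 2, rcpts[i]));
    return 0;
}
```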

A user may want to participate in mailing list discussions, but doesn't want spam or off list replies to her now public address. Set ACCEPTCLIENT="" for the IPs of the mailing list servers with tcprules, and put the recipient address in control/protectedgood instead.

For an example of how to automate this process, see the parent directory for an interactive user run script where one can remotely add, remove or list their disposable alias addresses, and the mail server cron that keeps the moregoodrcptto.cdb up to date. The patch assumes a Dave Sill type of installation with regard to the extra control files concurrencyincoming and defaultdelivery; see http://lifewithqmail.org.

Use http@ to get the patch onto your box; tab characters must be preserved. Here are examples of how to patch.

2003-06-08 01: Original version, based on John Levine's badrcptto patch: http://www.iecc.com/bad-rcpt-noisy-patch.txt
2003-06-15 02: Added support for domain wildcarding.
2003-06-15 03: Running qmail-showctl also shows good recipient addresses.
2003-07-01 04: The pid for the connection is included in the log.
2003-07-11 05: Experimental.
2003-07-13 06: Experimental.
2003-07-20 07: Removed the message block on a mix of good and bad recipients. Allowed for only using a goodrcptto list. Corrected an error in the qmail-showctl.c patch.
2003-09-02 08: Added publicly known recipient address protection using an ACCEPTCLIENT tcprules variable.
2003-10-04 09: Running qmail-showctl also shows protected recipient addresses.
2003-11-07 10: Discontinued the non logging version of goodrcptto. Added dictionary attack prevention within qmail-smtpd using control/brtlimit and/or BRTLIMIT. Updated the qmail-smtpd.8 man page patch regarding ACCEPTCLIENT, control/brtlimit and BRTLIMIT. Updated the qmail-control.9 man page patch regarding brtlimit, concurrencyincoming, defaultdelivery, goodrcptto, moregoodrcptto and protectedgood.
2004-02-14 11: Code cleanup and standardization with tcpserver logging at getpid. This single patch works with both qmail-1.03 and netqmail-1.05. The brtcount is continued across rsets.
2004-03-05 12: Accounted for the s/executable/such/ change to qmail-smtpd-viruscan-1.3.patch. Added rcpttos, mailfrom and helohost to rejected content logging.